Title: Oracle 9i Application Server PL/SQL Apache Module Directory Traversal Vulnerability
Severity: CRITICAL
Description:
Oracle 9i Application Server comes with an Apache-based web server and support for environments such as SOAP, PL/SQL, XSQL and JSP.
The PL/SQL Apache module for Oracle 9iAS provides functionality for remote administration of the Database Access Descriptors and access to help pages.
The PL/SQL Apache module does not perform sufficient input validation on double-encoded URLs. This makes it possible for a remote attacker to submit a specially crafted web request containing double-encoded variations of dot-dot-slash (../) sequences to break out of the 'admin' directory.
To successfully exploit this issue, the dot-dot-slash sequences must be appended to a request for a help file.
If the attacker can browse the filesystem of the host, they can display the contents of arbitrary web-readable files.
This is only an issue on Microsoft Windows NT/2000 operating systems. However, since the Apache process runs with SYSTEM privileges, the definition of an arbitrary web-readable file can be interpreted to mean any file on the system which can be displayed in a web browser.
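The following Python example is added here for illustration and is not part of the original advisory or Oracle's code. It shows why a validator that percent-decodes only once misses double-encoded dot-dot-slash sequences, next to a check that decodes to a fixed point before testing. The request paths are constructed samples, and the function names and the round limit are assumptions.

```python
import re
from urllib.parse import unquote

# Assumption: a path still changing after this many decode passes is rejected.
MAX_ROUNDS = 5

# A path segment that is exactly "..", with either slash style (the advisory
# concerns Windows hosts, where "\" is also a separator).
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def naive_check(path):
    """Weak form: decode once, then look for traversal."""
    return bool(TRAVERSAL.search(unquote(path)))

def fully_decode(path):
    """Percent-decode until the string stops changing (a fixed point)."""
    for _ in range(MAX_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            return decoded
        path = decoded
    raise ValueError("too many encoding layers")

def hardened_check(path):
    """Hardened form: test the fully decoded path; fail closed on deep nesting."""
    try:
        return bool(TRAVERSAL.search(fully_decode(path)))
    except ValueError:
        return True

# Constructed sample request paths (not taken from the advisory).
SAMPLES = [
    "/docs/help/index.htm",
    "/docs/help/..%2f..%2fsecret.txt",
    "/docs/help/%252e%252e%252fsecret.txt",
    "/docs/help/..%255c..%255csecret.txt",
    "/report/50%25.htm",
]

def audit(paths):
    """Return (path, naive_flagged, hardened_flagged) for each path."""
    return [(p, naive_check(p), hardened_check(p)) for p in paths]

if __name__ == "__main__":
    for path, naive, hardened in audit(SAMPLES):
        print(f"{path:45} naive={naive!s:5} hardened={hardened}")
```

The same fixed-point decoding can be applied to web server access logs to find requests that a single-decode filter would have passed.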
Affected Products:
- Oracle Oracle9i Application Server